
XP sp3 Crash on browser startup


  • This topic is locked
22 replies to this topic

#1 burntout

  • Members
  • 20 posts
  • OFFLINE
  • Local time:08:33 AM

Posted 16 September 2011 - 06:19 PM

First, the link back to my original post:

Browser Crash

The results from the DDS and GMER scans:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Run by Administrator at 18:41:39 on 2011-09-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.349 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\f.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_Plugin.exe -update plugin
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 3.1\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 24.92.226.11 24.92.226.12
TCP: Interfaces\{E1C8DAA8-C2EA-4DC3-9758-AFEB2B742C85} : DhcpNameServer = 24.92.226.11 24.92.226.12
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\docume~1\ish\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\docume~1\ish\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2011-7-12 67664]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 MpKslb8911f25;MpKslb8911f25;\??\c:\windows\system32\mpenginestore\mpkslb8911f25.sys --> c:\windows\system32\mpenginestore\MpKslb8911f25.sys [?]
S2 lvlvimtkzyij;lvlvimtkzyij;\??\c:\windows\system32\drivers\gkjpygxr.sys --> c:\windows\system32\drivers\gkjpygxr.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-12 947528]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriver.sys --> c:\windows\system32\drivers\AVGIDSDriver.Sys [?]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilter.sys --> c:\windows\system32\drivers\AVGIDSFilter.Sys [?]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshim.sys --> c:\windows\system32\drivers\AVGIDSShim.Sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-9-2 22712]
S3 NETwLx32; Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit;c:\windows\system32\drivers\NETwLx32.sys [2011-9-7 6609920]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [2008-1-9 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [2008-1-9 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [2008-1-9 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [2008-1-9 59520]
S4 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S4 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\avgidseh.sys --> c:\windows\system32\drivers\AVGIDSEH.Sys [?]
S4 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
S4 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
S4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S4 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-5-25 99248]
S4 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-2 366640]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
.
=============== Created Last 30 ================
.
2011-09-14 21:39:03 -------- d-----w- c:\program files\Cobian Backup 8
2011-09-08 00:11:25 -------- d-----w- c:\documents and settings\all users\application data\AVG Security Toolbar
2011-09-07 23:59:00 -------- d-----w- c:\documents and settings\administrator\application data\AVG
2011-09-07 23:49:50 675840 ------w- c:\windows\system32\NETwLc32.dll
2011-09-07 23:49:50 6609920 ------w- c:\windows\system32\drivers\NETwLx32.sys
2011-09-07 23:49:50 2756608 ------w- c:\windows\system32\NETwLr32.dll
2011-09-07 22:16:30 -------- d-----w- c:\windows\pss
2011-09-06 22:12:37 172032 ------w- c:\windows\system32\igfxres.dll
2011-09-06 22:09:44 920088 ------w- c:\windows\system32\igxpun.exe
2011-09-06 22:09:44 -------- d-----w- c:\windows\system32\x64
2011-09-06 21:42:16 526378 ------w- c:\windows\system32\PerfStringBackup.TMP
2011-09-04 15:39:51 -------- d-----w- c:\documents and settings\administrator\application data\AVG10
2011-09-04 15:39:01 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Apple Computer
2011-09-04 15:37:42 -------- d-----w- c:\documents and settings\administrator\application data\FaxCtr
2011-09-04 15:31:59 -------- d-----w- c:\program files\CCleaner
2011-09-04 12:53:07 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-09-04 12:52:29 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-03 23:50:01 924632 ------w- c:\program files\mozilla firefox\f.exe
2011-09-03 22:54:29 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
2011-09-03 19:00:44 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-09-03 17:56:29 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-09-03 15:56:50 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-02 16:30:12 41272 ------w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-02 16:30:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-09-02 16:30:08 22712 ------w- c:\windows\system32\drivers\mbam.sys
2011-09-02 16:30:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK1234GSX rev.AH001A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x869D8ECC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xa856c879; SUB DWORD [EBP-0x4], 0xa856c135; PUSH EDI; CALL 0xffffffffffffdf2c; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86B52AB8]
3 CLASSPNP[0xF76DEFD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000089[0x86BD07E0]
5 ACPI[0xF7635620] -> nt!IofCallDriver[0x804E13B9] -> [0x86AC9D98]
[0x86AF7CC0] -> IRP_MJ_CREATE -> 0x869D8ECC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1234GSX_______________________AH001A__#5&35291d97&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x869D8AF1
user & kernel MBR OK
sectors 234441646 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:42:51.31 ===============


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-16 19:03:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK1234GSX rev.AH001A
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kwtdrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\DOCUME~1\Ish\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA048640]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF65FAEBF]
.rsrc C:\WINDOWS\system32\DRIVERS\i8042prt.sys entry point in ".rsrc" section [0xF78E8194]
? C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious PE modification
? C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 01026E80 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 01028E40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 01025640 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!ReadFile 7C801812 5 Bytes JMP 01026FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01029040 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CreateFileMappingW 7C80943C 5 Bytes JMP 01028A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetFileAttributesW 7C80B7EC 5 Bytes JMP 01027B70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!OpenFileMappingW 7C80BB7A 5 Bytes JMP 01028D20 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!DuplicateHandle 7C80DE9E 5 Bytes JMP 0102A750 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!FindFirstFileExW 7C80EB1D 5 Bytes JMP 010286B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!FindClose 7C80EE77 5 Bytes JMP 010287C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!FindFirstFileW 7C80EF81 5 Bytes JMP 010285C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!FindNextFileW 7C80EFDA 5 Bytes JMP 010288A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01029560 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetFileSizeEx 7C810AA9 5 Bytes JMP 01027900 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetFileSize 7C810B17 5 Bytes JMP 01027830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!SetFilePointer 7C810C2E 5 Bytes JMP 010275A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 01027270 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetFileType 7C810EF1 5 Bytes JMP 01027EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetFileAttributesExW 7C811195 5 Bytes JMP 01027BF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetFileAttributesA 7C8115DC 5 Bytes JMP 01027AF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!FlushFileBuffers 7C8126E1 5 Bytes JMP 01027520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!FindFirstFileA 7C813879 5 Bytes JMP 010284D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!SetFilePointerEx 7C821057 5 Bytes JMP 010276F0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!MoveFileW 7C821261 5 Bytes JMP 0102A150 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CopyFileA 7C8286EE 5 Bytes JMP 01029AA0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!CopyFileW 7C82F87B 5 Bytes JMP 01029CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetFileTime 7C831C4D 5 Bytes JMP 01027CE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!SetFileTime 7C831CC0 5 Bytes JMP 01027DE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!DeleteFileA 7C831EDD 5 Bytes JMP 01028080 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!DeleteFileW 7C831F63 5 Bytes JMP 010281C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!SetEndOfFile 7C832076 5 Bytes JMP 010279D0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!UnlockFile 7C8322EC 1 Byte [E9]
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!UnlockFile 7C8322EC 5 Bytes JMP 01027FF0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!LockFile 7C832391 5 Bytes JMP 01027F60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!FindNextFileA 7C834EE1 5 Bytes JMP 01028830 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!_hread 7C8353FE 5 Bytes JMP 01028300 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!_llseek 7C835436 5 Bytes JMP 01028440 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!MoveFileExW 7C83568B 5 Bytes JMP 0102A3C0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!GetShortPathNameA 7C835BE0 5 Bytes JMP 01028910 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!MoveFileA 7C835EBF 5 Bytes JMP 01029EE0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!ReplaceFile 7C836C6C 5 Bytes JMP 0102A650 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] kernel32.dll!_hwrite 7C838B17 5 Bytes JMP 010283A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 01026240 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!BitBlt 77F16F79 5 Bytes JMP 01025CC0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!StretchBlt 77F1B6D0 5 Bytes JMP 01026070 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!GetPixel 77F1B74C 5 Bytes JMP 01025E70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!CreateDCA 77F1B7D2 5 Bytes JMP 010257A0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!CreateDCW 77F1BE38 5 Bytes JMP 01025980 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!CopyEnhMetaFileW 77F270CC 5 Bytes JMP 01026C70 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!CopyMetaFileW 77F2C3ED 5 Bytes JMP 01026A60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!CopyMetaFileA 77F2C52B 5 Bytes JMP 01026630 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!GetMetaFileW 77F3853D 5 Bytes JMP 01026840 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!GetEnhMetaFileW 77F397A3 5 Bytes JMP 01026950 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!GetMetaFileA 77F44216 5 Bytes JMP 01026410 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!StartDocW 77F45962 5 Bytes JMP 0102D190 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!StartDocA 77F45E79 5 Bytes JMP 0102C1E0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] GDI32.dll!GetEnhMetaFileA 77F4AE35 5 Bytes JMP 01026520 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] USER32.dll!ReleaseDC 7E41869D 5 Bytes JMP 010261B0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] USER32.dll!GetDC 7E4186C7 5 Bytes JMP 01025B60 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] USER32.dll!GetWindowDC 7E419021 5 Bytes JMP 01025C50 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] USER32.dll!PrintWindow 7E423810 5 Bytes JMP 01026340 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] USER32.dll!GetDCEx 7E42C595 5 Bytes JMP 01025BD0 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1580] ole32.dll!DoDragDrop 775D0DBD 5 Bytes JMP 01028F40 C:\Program Files\Oracle\Information Rights Management\Desktop\SEALNT.dll (Oracle IRM Library/Oracle Corporation)
.text C:\Program Files\Mozilla Firefox\f.exe[2980] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\f.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3468] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 106AA800 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3468] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 106AA792 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3468] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104B229C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3468] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104B2861 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 869D8AF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 869D8AF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 869D8AF1
Device \FileSystem\Cdfs \Cdfs A8BB8400
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1234GSX_______________________AH001A__#5&35291d97&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACuiuwyrownkyxfak.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACuiuwyrownkyxfak.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACdqoenqoekypnbmc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACdjbpptbkliqltgh.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uaclog \\?\globalroot\systemroot\system32\UACtitqfqjwbokruqk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACfmpmhskltoirdio.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACrrrwrsmyaqamimp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACixevglrrswjcqrj.dll
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACproc \\?\globalroot\systemroot\system32\UACtjlqsojdmowcjeo.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacurls \\?\globalroot\systemroot\system32\UACqpkpnqyhahegbwx.log
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacerrors \\?\globalroot\systemroot\system32\UACvasnsmkwovvwioj.log
Reg HKLM\SOFTWARE\Classes\CLSID\{0789FD72-8CDF-9146-5753-71D29736F06C}\Implemented Categories\{C501EDBE-9E70-11D1-9053-00C04FD9189D}
Reg HKLM\SOFTWARE\Classes\CLSID\{0789FD72-8CDF-9146-5753-71D29736F06C}\InprocServer32@ C:\WINDOWS\system32\Dxtmsft.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{0789FD72-8CDF-9146-5753-71D29736F06C}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{0789FD72-8CDF-9146-5753-71D29736F06C}\ProgID@ DXImageTransform.Microsoft.Iris.1
Reg HKLM\SOFTWARE\Classes\CLSID\{0789FD72-8CDF-9146-5753-71D29736F06C}\ToolBoxBitmap32@ C:\WINDOWS\system32\Dxtmsft.dll,235
Reg HKLM\SOFTWARE\Classes\CLSID\{0789FD72-8CDF-9146-5753-71D29736F06C}\VersionIndependentProgID@ DXImageTransform.Microsoft.Iris

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\i8042prt.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

The attach.zip file is um attached :wink:

Thanks in advance.



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 17 September 2011 - 05:25 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 burntout

burntout
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 18 September 2011 - 07:40 AM

I downloaded combofix to the desktop, disabled AVG and shut down SuperAntiSpyware. Unfortunately I got a black screen just after the licence agreement button while it appeared to be extracting its contents.

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 18 September 2011 - 07:50 AM

OK, delete the copy that you have and download a fresh copy, rename it to svchost.exe and save it directly to your C:\ drive.

Navigate to c:\svchost.exe and run it > make sure all other windows are closed and your security programs are disabled.

If it still won't run in normal mode > boot to safe mode and run it.


To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account

Edited by CatByte, 18 September 2011 - 07:51 AM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 burntout

burntout
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 18 September 2011 - 08:17 AM

First attempt at new download and rename, same black screen. The safe mode attempt resulted in a blue screen with the following error:

***STOP: 0X0000007E (0XC0000005,0X86A43922,0XF7AD57B0,0XF7AD54AC)

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 18 September 2011 - 09:11 AM

Please run the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 burntout

burntout
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 18 September 2011 - 09:31 AM

The requested log:

2011/09/18 10:25:00.0967 4052 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/18 10:25:01.0436 4052 ================================================================================
2011/09/18 10:25:01.0451 4052 SystemInfo:
2011/09/18 10:25:01.0451 4052
2011/09/18 10:25:01.0451 4052 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/18 10:25:01.0451 4052 Product type: Workstation
2011/09/18 10:25:01.0451 4052 ComputerName: ALISHA
2011/09/18 10:25:01.0451 4052 UserName: Administrator
2011/09/18 10:25:01.0451 4052 Windows directory: C:\WINDOWS
2011/09/18 10:25:01.0451 4052 System windows directory: C:\WINDOWS
2011/09/18 10:25:01.0451 4052 Processor architecture: Intel x86
2011/09/18 10:25:01.0451 4052 Number of processors: 2
2011/09/18 10:25:01.0451 4052 Page size: 0x1000
2011/09/18 10:25:01.0451 4052 Boot type: Normal boot
2011/09/18 10:25:01.0451 4052 ================================================================================
2011/09/18 10:25:02.0920 4052 Initialize success
2011/09/18 10:25:20.0578 2164 ================================================================================
2011/09/18 10:25:20.0578 2164 Scan started
2011/09/18 10:25:20.0578 2164 Mode: Manual;
2011/09/18 10:25:20.0578 2164 ================================================================================
2011/09/18 10:25:21.0000 2164 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/18 10:25:21.0015 2164 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/09/18 10:25:21.0078 2164 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/18 10:25:21.0140 2164 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/09/18 10:25:21.0203 2164 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/09/18 10:25:21.0468 2164 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/09/18 10:25:21.0859 2164 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/18 10:25:21.0953 2164 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/09/18 10:25:22.0000 2164 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/18 10:25:22.0031 2164 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/18 10:25:22.0094 2164 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/18 10:25:22.0250 2164 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/18 10:25:22.0375 2164 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/18 10:25:22.0437 2164 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/18 10:25:22.0469 2164 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/18 10:25:22.0515 2164 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/18 10:25:22.0547 2164 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/18 10:25:22.0625 2164 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/09/18 10:25:22.0672 2164 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/09/18 10:25:22.0890 2164 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/18 10:25:22.0922 2164 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/09/18 10:25:22.0953 2164 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/09/18 10:25:22.0984 2164 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
2011/09/18 10:25:23.0000 2164 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/09/18 10:25:23.0016 2164 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/09/18 10:25:23.0047 2164 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/09/18 10:25:23.0062 2164 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2011/09/18 10:25:23.0078 2164 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/09/18 10:25:23.0109 2164 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/09/18 10:25:23.0172 2164 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/18 10:25:23.0250 2164 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/18 10:25:23.0391 2164 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/18 10:25:23.0437 2164 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/18 10:25:23.0500 2164 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/18 10:25:23.0562 2164 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/09/18 10:25:23.0641 2164 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/09/18 10:25:23.0812 2164 E100B (ac9cf17ee2ae003c98eb4f5336c38058) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/09/18 10:25:23.0844 2164 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/09/18 10:25:23.0937 2164 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/18 10:25:23.0984 2164 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/09/18 10:25:24.0016 2164 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/18 10:25:24.0031 2164 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/09/18 10:25:24.0094 2164 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/18 10:25:24.0234 2164 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/18 10:25:24.0297 2164 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/18 10:25:24.0359 2164 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/18 10:25:24.0422 2164 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/18 10:25:24.0453 2164 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/18 10:25:24.0484 2164 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/18 10:25:24.0688 2164 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/18 10:25:24.0766 2164 i8042prt (107f61e666571664facbf1a01c9a8a75) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/18 10:25:24.0766 2164 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 107f61e666571664facbf1a01c9a8a75, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
2011/09/18 10:25:24.0781 2164 i8042prt - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/09/18 10:25:25.0078 2164 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/18 10:25:25.0453 2164 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/18 10:25:25.0719 2164 IntcAzAudAddService (7c09d605fcae64e3cb11ebf90fb1e3a1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/09/18 10:25:25.0922 2164 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/18 10:25:25.0969 2164 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/18 10:25:26.0000 2164 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/18 10:25:26.0047 2164 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/18 10:25:26.0094 2164 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/18 10:25:26.0125 2164 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/18 10:25:26.0281 2164 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/18 10:25:26.0328 2164 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/18 10:25:26.0344 2164 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
2011/09/18 10:25:26.0422 2164 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/18 10:25:26.0469 2164 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/18 10:25:26.0500 2164 KR10N (00c1ea8decf810b8eccb5c5a8186a96e) C:\WINDOWS\system32\drivers\KR10N.sys
2011/09/18 10:25:26.0547 2164 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/18 10:25:26.0797 2164 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\WINDOWS\system32\drivers\mbam.sys
2011/09/18 10:25:26.0828 2164 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
2011/09/18 10:25:26.0891 2164 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/09/18 10:25:26.0922 2164 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/18 10:25:26.0985 2164 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/18 10:25:27.0016 2164 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/18 10:25:27.0110 2164 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/18 10:25:27.0203 2164 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/18 10:25:27.0281 2164 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/18 10:25:27.0360 2164 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/18 10:25:27.0406 2164 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/18 10:25:27.0453 2164 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/18 10:25:27.0485 2164 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/18 10:25:27.0547 2164 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/18 10:25:27.0672 2164 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/18 10:25:27.0719 2164 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/18 10:25:27.0750 2164 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/18 10:25:27.0813 2164 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/18 10:25:27.0844 2164 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/18 10:25:27.0860 2164 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/18 10:25:27.0907 2164 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/18 10:25:27.0938 2164 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/18 10:25:27.0985 2164 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/18 10:25:28.0094 2164 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
2011/09/18 10:25:28.0438 2164 NETwLx32 (72062b53186e4a3f5fcbc41ebb62b905) C:\WINDOWS\system32\DRIVERS\NETwLx32.sys
2011/09/18 10:25:28.0891 2164 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/09/18 10:25:28.0938 2164 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/18 10:25:28.0969 2164 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/18 10:25:29.0032 2164 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/18 10:25:29.0063 2164 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/18 10:25:29.0094 2164 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/18 10:25:29.0266 2164 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2011/09/18 10:25:29.0297 2164 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2011/09/18 10:25:29.0313 2164 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2011/09/18 10:25:29.0391 2164 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
2011/09/18 10:25:29.0438 2164 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/09/18 10:25:29.0485 2164 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/09/18 10:25:29.0500 2164 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/18 10:25:29.0547 2164 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/18 10:25:29.0688 2164 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/18 10:25:29.0719 2164 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/18 10:25:29.0766 2164 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/09/18 10:25:29.0938 2164 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
2011/09/18 10:25:29.0969 2164 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/18 10:25:30.0000 2164 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/18 10:25:30.0047 2164 PTDMBus (785e1032c8f3c8c60aa8e2b7fe377869) C:\WINDOWS\system32\DRIVERS\PTDMBus.sys
2011/09/18 10:25:30.0110 2164 PTDMMdm (924c2b2dca76d2bd7d44b3bb968b344f) C:\WINDOWS\system32\DRIVERS\PTDMMdm.sys
2011/09/18 10:25:30.0141 2164 PTDMVsp (58ad3ccdd567fa45fd94af15229ace7c) C:\WINDOWS\system32\DRIVERS\PTDMVsp.sys
2011/09/18 10:25:30.0282 2164 PTDMWWAN (49f773decbcd6a555c7a8694d37d232e) C:\WINDOWS\system32\DRIVERS\PTDMWWAN.sys
2011/09/18 10:25:30.0313 2164 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/18 10:25:30.0344 2164 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/18 10:25:30.0485 2164 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/18 10:25:30.0547 2164 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/18 10:25:30.0563 2164 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/18 10:25:30.0610 2164 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/18 10:25:30.0657 2164 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/18 10:25:30.0704 2164 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/18 10:25:30.0766 2164 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/18 10:25:30.0860 2164 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/18 10:25:30.0891 2164 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/18 10:25:30.0985 2164 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/09/18 10:25:31.0157 2164 SASDIFSV (39763504067962108505bff25f024345) C:\DOCUME~1\Ish\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS
2011/09/18 10:25:31.0188 2164 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\DOCUME~1\Ish\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS
2011/09/18 10:25:31.0376 2164 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/09/18 10:25:31.0422 2164 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/18 10:25:31.0485 2164 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/09/18 10:25:31.0547 2164 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/09/18 10:25:31.0579 2164 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/09/18 10:25:31.0610 2164 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/09/18 10:25:31.0735 2164 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/09/18 10:25:31.0844 2164 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/18 10:25:31.0876 2164 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/18 10:25:31.0954 2164 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/18 10:25:32.0032 2164 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/18 10:25:32.0063 2164 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/18 10:25:32.0266 2164 SynTP (e295fffff3aaf9a6a40b29497901908f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/09/18 10:25:32.0344 2164 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/18 10:25:32.0407 2164 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
2011/09/18 10:25:32.0485 2164 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/18 10:25:32.0532 2164 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/18 10:25:32.0626 2164 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/18 10:25:32.0719 2164 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/18 10:25:32.0798 2164 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys
2011/09/18 10:25:32.0860 2164 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
2011/09/18 10:25:32.0907 2164 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
2011/09/18 10:25:32.0954 2164 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
2011/09/18 10:25:33.0016 2164 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/18 10:25:33.0094 2164 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/18 10:25:33.0282 2164 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/09/18 10:25:33.0344 2164 usbbus (d9f3bb7c292f194f3b053ce295754eb8) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/09/18 10:25:33.0407 2164 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/18 10:25:33.0438 2164 UsbDiag (c4f77da649f99fad116ea585376fc164) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/09/18 10:25:33.0485 2164 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/18 10:25:33.0626 2164 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/18 10:25:33.0673 2164 USBModem (c0613ce45e617bc671de8ebb1b30d175) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/09/18 10:25:33.0751 2164 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/18 10:25:33.0813 2164 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/18 10:25:33.0845 2164 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/18 10:25:33.0891 2164 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/18 10:25:33.0907 2164 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/18 10:25:34.0095 2164 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/18 10:25:34.0220 2164 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
2011/09/18 10:25:34.0282 2164 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/18 10:25:34.0454 2164 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/09/18 10:25:34.0532 2164 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/18 10:25:34.0673 2164 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/09/18 10:25:34.0735 2164 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/18 10:25:34.0860 2164 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/18 10:25:34.0923 2164 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0
2011/09/18 10:25:35.0063 2164 Boot (0x1200) (c885456e27f14a7231ef9fc5932be1ee) \Device\Harddisk0\DR0\Partition0
2011/09/18 10:25:35.0079 2164 ================================================================================
2011/09/18 10:25:35.0079 2164 Scan finished
2011/09/18 10:25:35.0079 2164 ================================================================================
2011/09/18 10:25:35.0110 2156 Detected object count: 1
2011/09/18 10:25:35.0110 2156 Actual detected object count: 1
2011/09/18 10:25:56.0081 2156 i8042prt (107f61e666571664facbf1a01c9a8a75) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/18 10:25:56.0081 2156 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: 107f61e666571664facbf1a01c9a8a75, Fake md5: 4a0b06aa8943c1e332520f7440c0aa30
2011/09/18 10:25:58.0862 2156 Backup copy found, using it..
2011/09/18 10:25:58.0878 2156 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
2011/09/18 10:25:58.0878 2156 Rootkit.Win32.TDSS.tdl3(i8042prt) - User select action: Cure
2011/09/18 10:26:11.0098 3996 Deinitialize success
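
The "Suspicious file (Forged)" lines are the interesting part of the log above: the same driver is reported with two different MD5s, which means two read paths returned different bytes for the same file. That disagreement, not either hash on its own, is what marks a disk-level hook. The following Python is an added example, not part of this thread or of TDSSKiller, that parses log lines in the format shown and pulls out the forged-file findings together with the detection name the tool attached to them. The sample lines are constructed to mirror the log above, and the field and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the TDSSKiller line format seen in the thread: a clean
# driver, a driver reported as forged, and the detection line for it.
SAMPLE_LOG = (
    "2011/09/18 10:25:24.0453 2164 HDAudBus (573c7d0a32852b48f3058cfd8026f511) "
    "C:\\WINDOWS\\system32\\DRIVERS\\HDAudBus.sys\n"
    "2011/09/18 10:25:24.0766 2164 i8042prt (107f61e666571664facbf1a01c9a8a75) "
    "C:\\WINDOWS\\system32\\DRIVERS\\i8042prt.sys\n"
    "2011/09/18 10:25:24.0766 2164 Suspicious file (Forged): "
    "C:\\WINDOWS\\system32\\DRIVERS\\i8042prt.sys. "
    "Real md5: 107f61e666571664facbf1a01c9a8a75, "
    "Fake md5: 4a0b06aa8943c1e332520f7440c0aa30\n"
    "2011/09/18 10:25:24.0781 2164 i8042prt - detected Rootkit.Win32.TDSS.tdl3 (0)\n"
    "2011/09/18 10:25:35.0110 2156 Detected object count: 1\n"
)

# Every line starts with "<date> <time> <thread id> ".
PREFIX = r"^(?P<date>\S+) (?P<time>\S+) (?P<tid>\d+) "
# "<service name> (<md5>) <path>"  -- one line per enumerated driver.
DRIVER_RE = re.compile(PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Suspicious file (Forged): <path>. Real md5: <h>, Fake md5: <h>"
FORGED_RE = re.compile(
    PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
# "<service name> - detected <family> (<n>)"
DETECT_RE = re.compile(PREFIX + r"(?P<name>\S+) - detected (?P<family>\S+) \((?P<n>\d+)\)$")


@dataclass
class Finding:
    """One file the tool reported as forged (field names are this example's)."""
    path: str
    name: Optional[str] = None      # service name from the enumeration line
    real_md5: Optional[str] = None  # the two hashes as labelled by the tool
    fake_md5: Optional[str] = None
    family: Optional[str] = None    # detection name, if a "detected" line followed


def parse_tdsskiller(text):
    """Return (drivers, findings).

    drivers: path -> (service name, md5) for every enumerated driver line.
    findings: list of Finding for every "Suspicious file (Forged)" line, with
    the service name and detection family joined in from the other lines.
    """
    drivers = {}
    findings = {}
    for line in text.splitlines():
        m = FORGED_RE.match(line)
        if m:
            f = findings.setdefault(m["path"], Finding(path=m["path"]))
            f.real_md5, f.fake_md5 = m["real"], m["fake"]
            f.name = drivers.get(m["path"], (None, None))[0]
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers[m["path"]] = (m["name"], m["md5"])
            continue
        m = DETECT_RE.match(line)
        if m:
            for f in findings.values():
                if f.name == m["name"]:
                    f.family = m["family"]
    return drivers, list(findings.values())


def forged_files(text):
    """Findings whose two hashes disagree: two read paths returning different
    bytes for the same file is the hallmark of a disk-level hook, whichever of
    the two copies turns out to be the clean one."""
    _, findings = parse_tdsskiller(text)
    return [f for f in findings if f.real_md5 != f.fake_md5]


if __name__ == "__main__":
    for f in forged_files(SAMPLE_LOG):
        print(f"{f.path}: {f.name} flagged as {f.family}; "
              f"hashes {f.real_md5} vs {f.fake_md5}")
```

The check deliberately keys on the mismatch rather than on either hash value, so it works as a triage filter over a full log without a list of known-good driver hashes; adding such a list would let it also say which of the two copies is the original.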

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 18 September 2011 - 09:33 AM

Very good

Please give ComboFix another try > it should run properly now

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 burntout

burntout
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 18 September 2011 - 09:45 AM

Combofix can run now but it tells me that AVG is active but when I bring up the AVG console it says "There are no active components". I checked Services and no AVG named components are running.

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 18 September 2011 - 09:53 AM

Please uninstall AVG,

use the AVG removal tool

(you can install an AV when we are done)


After uninstalling AVG from the Control Panel, also run the AVG remover from their site.

http://www.avg.com/us-en/download-tools

You may also use this tool to uninstall AVG:
http://www.appremover.com/get/appremover.exe

Instructions:
http://www.appremover.com/about/using-appremover.html

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 burntout

burntout
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:33 AM

Posted 18 September 2011 - 10:45 AM

I had to use the "appremover" tool to uninstall AVG as its utility produced the following:

Severity: Error
Error code: 0xC0070643
Error message: General internal error
Additional message: Driver installation failed (0x00000000)
Context: MSI action failed

Once uninstalled I was able to run combofix and attach the log.

Attached Files

  • Attached File  log.zip   50.05KB   3 downloads


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:09:33 AM

Posted 18 September 2011 - 11:00 AM

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic419257.html/page__pid__2412015#entry2412015

Collect::
c:\windows\system32\drivers\gkjpygxr.sys

Driver::
lvlvimtkzyij

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 burntout

burntout
  • Topic Starter

  • Members
  • 20 posts

Posted 18 September 2011 - 11:29 AM

New combofix log is attached. I'll run MBAM and ESET and post their logs when complete.




#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 September 2011 - 12:31 PM

Once those scans have completed, please do the following as well:



submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel, click on the file c:\program files\Mozilla Firefox\f.exe, then click the Open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
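The VirusTotal step above uploads the file through the web form. A defender checking an unfamiliar binary such as f.exe usually wants two things first: whether it is byte-identical to a known-good file (here, the original firefox.exe it is claimed to be a copy of), and whether VirusTotal already has a verdict for its hash, which avoids uploading anything. The script below is an added example written for this thread, not code from BleepingComputer, CatByte or VirusTotal. It assumes the VirusTotal v3 REST API (GET /api/v3/files/<sha256> with an x-apikey header), an API key in the VT_API_KEY environment variable, and placeholder file paths; the sample report it checks itself against is constructed inline.

```python
"""Hash a suspicious binary locally, compare it to a reference copy, and
build a VirusTotal hash lookup (no file upload).

Added example for the thread above. Assumptions: VirusTotal v3 REST API
(GET /api/v3/files/<sha256>, header x-apikey), API key in VT_API_KEY,
placeholder paths for f.exe and firefox.exe.
"""
import hashlib
import json
import os
import tempfile
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
HEX_DIGITS = set("0123456789abcdef")


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 hex digest of a file, streamed so large binaries need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def same_binary(path_a: str, path_b: str) -> bool:
    """True when two files are byte-identical, e.g. a renamed f.exe vs. firefox.exe."""
    return sha256_of_file(path_a) == sha256_of_file(path_b)


def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build the VirusTotal hash-lookup request; rejects anything that is not a SHA-256."""
    digest = sha256.lower()
    if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
        raise ValueError("not a SHA-256 hex digest")
    return urllib.request.Request(
        VT_FILE_URL.format(digest),
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )


def summarize_report(report: dict) -> dict:
    """Extract the engine verdict counts from a v3 file report."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return {k: stats.get(k, 0) for k in ("malicious", "suspicious", "undetected")}


def lookup_verdict(path: str, api_key: str) -> dict:
    """Online step: look the file's hash up on VirusTotal and return the counts."""
    req = build_lookup_request(sha256_of_file(path), api_key)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return summarize_report(json.load(resp))


def self_check() -> dict:
    """Offline demonstration on constructed files: a renamed copy hashes the same
    as its original, a tampered copy does not."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "firefox.exe")   # constructed stand-in
        renamed = os.path.join(tmp, "f.exe")          # constructed stand-in
        tampered = os.path.join(tmp, "f_tampered.exe")
        body = b"MZ" + b"\x00" * 62 + b"constructed sample"
        for p, content in ((original, body), (renamed, body), (tampered, body + b"!")):
            with open(p, "wb") as fh:
                fh.write(content)
        return {
            "renamed_matches": same_binary(original, renamed),
            "tampered_matches": same_binary(original, tampered),
            "digest": sha256_of_file(renamed),
        }


if __name__ == "__main__":
    print(self_check())
    key = os.environ.get("VT_API_KEY")
    if key:  # only reach the network when a key is configured
        print(lookup_verdict(r"C:\Program Files\Mozilla Firefox\f.exe", key))
```

Running it with no API key only performs the local comparison; with VT_API_KEY set it additionally prints the malicious/suspicious/undetected counts VirusTotal already holds for the hash, which is the same information the results page in the thread shows. A matching hash against a clean reference install settles the "is f.exe really firefox.exe" question without any upload at all.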


#15 burntout

burntout
  • Topic Starter

  • Members
  • 20 posts

Posted 18 September 2011 - 07:05 PM

MBAM completed with nothing found:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7743

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/18/2011 12:34:14 PM
mbam-log-2011-09-18 (12-34-14).txt

Scan type: Quick scan
Objects scanned: 179021
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET also reported nothing found and did not present a log.

The virustotal page is here.

The file c:\program files\Mozilla Firefox\f.exe is a renamed copy of firefox.exe that I use since running the normal firefox.exe had resulted in the BSOD.



